dcrat | 532b46d98ca73deb0d04d76e228b8fb842e235e5fcc3aecb7610648baa38eb38

General

Target

2ff5f44dd978997ba618bab8bf6ee9900aa005f244db185c98ba5cbecb6866d6.exe
Size

1.4MB
MD5

8645fd54fac7c386197853edb3e2cd8a
SHA1

69eba481f214340e8e770e0f9fb4dab65afcd781
SHA256

2ff5f44dd978997ba618bab8bf6ee9900aa005f244db185c98ba5cbecb6866d6
SHA512

9ed245b14d6049c8be54d19f4b4be33eb1e43d4a32111242de661f690aec03284a38ee3630fdfd1d4ba924ec0928dfdf6fdce803fe82b35efcfbe68e89358bca
SSDEEP

24576:8kGAQ2YTEip1A1+dNOL0RCcJNWDKmj8Tc6dhtN3fucovGLPqhmr5ptQBodIF/pGz:8kGAQ61+dkL0y6dhHfucovgPEmr5pGBa

Score

10^/10

dcrat infostealer rat spyware

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/3164-133-0x0000000000400000-0x000000000051A000-memory.dmp	dcrat

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

42 ipinfo.io
43 ipinfo.io

flow	ioc
42	ipinfo.io
43	ipinfo.io

Suspicious use of SetThreadContext 1 IoCs

Processes:

2ff5f44dd978997ba618bab8bf6ee9900aa005f244db185c98ba5cbecb6866d6.exe

description	pid	process	target process
PID 3144 set thread context of 3164	3144	2ff5f44dd978997ba618bab8bf6ee9900aa005f244db185c98ba5cbecb6866d6.exe	vbc.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3032 3144 WerFault.exe 2ff5f44dd978997ba618bab8bf6ee9900aa005f244db185c98ba5cbecb6866d6.exe
Modifies registry class 1 IoCs

Processes:

vbc.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings vbc.exe

pid	pid_target	process	target process
3032	3144	WerFault.exe	2ff5f44dd978997ba618bab8bf6ee9900aa005f244db185c98ba5cbecb6866d6.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	vbc.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

vbc.exe

pid	process
3164	vbc.exe
3164	vbc.exe
3164	vbc.exe
3164	vbc.exe
3164	vbc.exe
3164	vbc.exe
3164	vbc.exe
3164	vbc.exe
3164	vbc.exe
3164	vbc.exe
3164	vbc.exe
3164	vbc.exe
3164	vbc.exe
3164	vbc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vbc.exe

pid process

3164 vbc.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

vbc.exe

description pid process

Token: SeDebugPrivilege 3164 vbc.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vbc.exe

pid process

3164 vbc.exe

description	pid	process
Token: SeDebugPrivilege	3164	vbc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

2ff5f44dd978997ba618bab8bf6ee9900aa005f244db185c98ba5cbecb6866d6.exevbc.exe

description	pid	process	target process
PID 3144 wrote to memory of 3164	3144	2ff5f44dd978997ba618bab8bf6ee9900aa005f244db185c98ba5cbecb6866d6.exe	vbc.exe
PID 3144 wrote to memory of 3164	3144	2ff5f44dd978997ba618bab8bf6ee9900aa005f244db185c98ba5cbecb6866d6.exe	vbc.exe
PID 3144 wrote to memory of 3164	3144	2ff5f44dd978997ba618bab8bf6ee9900aa005f244db185c98ba5cbecb6866d6.exe	vbc.exe
PID 3144 wrote to memory of 3164	3144	2ff5f44dd978997ba618bab8bf6ee9900aa005f244db185c98ba5cbecb6866d6.exe	vbc.exe
PID 3144 wrote to memory of 3164	3144	2ff5f44dd978997ba618bab8bf6ee9900aa005f244db185c98ba5cbecb6866d6.exe	vbc.exe
PID 3164 wrote to memory of 2172	3164	vbc.exe	WScript.exe
PID 3164 wrote to memory of 2172	3164	vbc.exe	WScript.exe
PID 3164 wrote to memory of 2172	3164	vbc.exe	WScript.exe
PID 3164 wrote to memory of 3492	3164	vbc.exe	WScript.exe
PID 3164 wrote to memory of 3492	3164	vbc.exe	WScript.exe
PID 3164 wrote to memory of 3492	3164	vbc.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\2ff5f44dd978997ba618bab8bf6ee9900aa005f244db185c98ba5cbecb6866d6.exe
"C:\Users\Admin\AppData\Local\Temp\2ff5f44dd978997ba618bab8bf6ee9900aa005f244db185c98ba5cbecb6866d6.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3144

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3164

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b85888f-b684-48e0-85b0-5cd9d81b59c2.vbs"
3⤵
PID:2172

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb2a4a75-e875-4c96-b9a5-e45d2ac8af63.vbs"
3⤵
PID:3492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 268
2⤵
- Program crash
PID:3032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3144 -ip 3144
1⤵
PID:3916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

Web Service

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3b85888f-b684-48e0-85b0-5cd9d81b59c2.vbs

Filesize
729B

MD5
b28445bd9b4818bc8592781d4f131dc7

SHA1
546a411f181c9711767ddbbff3db87ab02b83c7d

SHA256
67bbb5a7fbae0647ba909e34030fe1f1a552b6693fc34fc767cf49a07df4512e

SHA512
93b782eb62a60c1a253a0d579513cd046b5b39928fb8acfa0124994a63611b73cc2a89b719a925911178243c70ab2c775f43984c64664e5d9b924a3a53456ea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\bb2a4a75-e875-4c96-b9a5-e45d2ac8af63.vbs

Filesize
505B

MD5
27bdf2b13c43dd93b0ce3c9010fa27be

SHA1
2d84a99ede46ededc6e7d900acd5244e4d9b782e

SHA256
551eab90bf5a4d4d624273ae076293d6a68203ea67afe8e5df272696a959e0da

SHA512
c4bf493a9b0643b52d64cbdd261729c9433ff14ffd741e66761cca975d195aad9c09f4e9d4e56fc226fc250663c579982b9a5f46f1733d49f893eff580080793

Download Submit
memory/2172-143-0x0000000000000000-mapping.dmp

Download
memory/3164-132-0x0000000000000000-mapping.dmp

Download
memory/3164-133-0x0000000000400000-0x000000000051A000-memory.dmp

Filesize
1.1MB

Download
memory/3164-138-0x0000000006590000-0x0000000006B34000-memory.dmp

Filesize
5.6MB

Download
memory/3164-139-0x0000000006220000-0x00000000062B2000-memory.dmp

Filesize
584KB

Download
memory/3164-140-0x0000000006430000-0x0000000006480000-memory.dmp

Filesize
320KB

Download
memory/3164-141-0x0000000007070000-0x000000000759C000-memory.dmp

Filesize
5.2MB

Download
memory/3164-142-0x0000000006BB0000-0x0000000006C16000-memory.dmp

Filesize
408KB

Download
memory/3164-147-0x00000000080C0000-0x00000000080CA000-memory.dmp

Filesize
40KB

Download
memory/3492-145-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads